Cybersecurity is a broad domain, and achieving good cyber hygiene requires a holistic approach comprising various tools, processes, and policies. A foundation for these efforts is asset visibility: you cannot protect and manage what you don’t know exists. IT asset management (ITAM) and the configuration management database (CMDB) are two platforms that help enterprises manage their IT assets. A significant difference is that ITAM serves business purposes, while a CMDB is more service-oriented.
Differentiating Table Between ITAM and CMDB
| IT Asset Management (ITAM) | Configuration Management Database (CMDB) |
|---|---|
| An ITAM platform generates an IT asset inventory for the enterprise. | A CMDB is a repository containing all relevant information about a company’s hardware and software IT components (known as configuration items) and the relationships between these components. |
| Through this inventory, ITAM facilitates the oversight, tracking, management, and optimization of IT assets for business and/or financial purposes. | A CMDB allows enterprises to track and, more importantly, understand their IT services from an operational perspective by identifying and verifying each component. |
| Deep insights provided by the ITAM solution enable the enhancement of business operations, contributing to areas such as risk management and cost optimization. In fact, the latter was the key driver behind ITAM investments for 74% of organizations, according to Deloitte (IT Asset Management (ITAM)). | The CMDB information means enterprises benefit from better management of their infrastructure and any associated risks that may disrupt productivity. In short, a CMDB helps ensure continued service performance. A CMDB can also overlap with and support an ITAM database. |
Despite supporting distinct purposes, both ITAM and CMDB platforms provide an asset inventory, and the two are likely to overlap. However, visibility gaps limit the accuracy of that inventory, reducing the efficacy of both platforms.
What You See is Not Always What You Get
ITAM and CMDB platforms rely on various identifiers when generating hardware asset inventories, such as a device’s MAC address, VID, PID, and Class ID. However, these parameters can easily be spoofed, and a lack of Layer 1 visibility limits the ability of ITAM and CMDB platforms to differentiate between legitimate and spoofed devices. Furthermore, the Layer 1 visibility gap means MAC-less devices go completely undetected and unaccounted for by ITAM and CMDB solutions.
The physical layer blind spot results in an inaccurate hardware asset inventory, whether the device has been misidentified or is absent entirely. Either way, the efficacy and value of ITAM and Configuration Management Database are significantly reduced. Without an accurate asset inventory, the platforms cannot meet their purpose. Enterprises are (unknowingly) relying on an unreliable inventory to make business and operational decisions.
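The blind spot described above, as an added example (not Sepio's code or any ITAM/CMDB product's logic): a toy inventory keyed only on device-reported identifiers, run over constructed observations. The field names, port labels, and identifier values are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data. "physical" is ground truth the inventory never
# sees; "mac" and "usb" (VID, PID, class) are what each device itself reports.
OBSERVATIONS = [
    {"t": 10, "port": "sw1/3", "physical": "laptop-A", "mac": "02:00:00:aa:bb:01"},
    {"t": 12, "port": "sw2/7", "physical": "implant-X", "mac": "02:00:00:aa:bb:01"},
    {"t": 15, "port": "sw1/4", "physical": "inline-tap", "mac": None},
    {"t": 20, "port": "hostA/usb1", "physical": "keyboard", "usb": ("1234", "abcd", "03")},
    {"t": 21, "port": "hostB/usb2", "physical": "hid-emulator", "usb": ("1234", "abcd", "03")},
]

def identity(obs):
    """Inventory key: claimed MAC, else claimed (VID, PID, class), else None."""
    if obs.get("mac"):
        return ("mac", obs["mac"])
    return ("usb", *obs["usb"]) if obs.get("usb") else None

def build_inventory(observations):
    """Return ({identity: [observations]}, [observations with no identifier])."""
    inventory, unseen = defaultdict(list), []
    for obs in observations:
        key = identity(obs)
        (inventory[key] if key else unseen).append(obs)
    return dict(inventory), unseen

def mac_conflicts(inventory, window=60):
    """MACs reported from more than one port within `window` seconds.
    A review heuristic only: it cannot tell which port holds the real device."""
    flagged = {}
    for key, seen in inventory.items():
        if key[0] != "mac":
            continue
        ports = {o["port"] for o in seen}
        span = max(o["t"] for o in seen) - min(o["t"] for o in seen)
        if len(ports) > 1 and span <= window:
            flagged[key[1]] = sorted(ports)
    return flagged

def summarize(observations):
    inventory, unseen = build_inventory(observations)
    return {
        "physical_devices": len({o["physical"] for o in observations}),
        "inventory_records": len(inventory),
        "no_record": [o["physical"] for o in unseen],
        "mac_conflicts": mac_conflicts(inventory),
    }

if __name__ == "__main__":
    print(summarize(OBSERVATIONS))
```

Five physical devices collapse into two inventory records: the MAC-less device produces none, and the two USB devices are indistinguishable because VID, PID, and class describe a model rather than a unit.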
A major problem with an inaccurate asset inventory is that vulnerabilities go unaccounted for, significantly limiting risk management efforts due to the warped perception of the enterprise’s risk posture. Even more worrisome is that malicious actors exploit the physical layer blind spot through the use of rogue devices: spoofed peripherals or hidden network implants. The enterprise cannot mitigate such threats. Instead, these devices operate covertly and can conduct a myriad of harmful attacks, for instance malware injection, data theft, espionage, Man-in-the-Middle (MITM) attacks, and more.
I Spy With my HAC-1 Eye
To conclude, Sepio’s HAC-1 Hardware Access Control platform provides a panacea to gaps in device visibility by covering the physical layer. No device goes unmanaged. The solution identifies, detects, and handles all IT/OT/IoT devices to provide complete asset visibility. HAC-1 gathers various physical layer data parameters to generate a digital fingerprint for every hardware asset, identifying all assets for what they truly are, not just what they claim to be. Further, HAC-1 assesses the risk posture of every device and instantly detects those which are vulnerable. This feature is augmented by the solution’s built-in threat intelligence database to ensure up-to-date protection.
HAC-1 integrates seamlessly with third-party tools to provide optimum ITAM and CMDB capabilities. The solution’s deep visibility acts as an additional data source to fill gaps in information, thus improving data integrity to generate a complete and accurate hardware asset inventory. Additionally, HAC-1 capitalizes on asset visibility to protect the enterprise from perilous hardware attacks. The solution initiates an automated mitigation process against unauthorized and malicious devices, blocking such assets through third-party solutions. This approach further heightens the value of ITAM and a Configuration Management Database (CMDB).